Google Workspace Security Incidents Under Investigation

Google Workspace security incidents currently under investigation involve several sophisticated threats, including OAuth token compromises linked to third-party integrations like Salesloft Drift, widespread voice‑phishing (vishing) campaigns targeting single sign-on (SSO) systems, and token‑stealing malware attacks. These are active investigations, not breaches of Google’s core infrastructure, but they pose real risks to organizations using Google Workspace tools.

Overview of Ongoing Investigations into Workspace Security Incidents

Drift Email OAuth Token Compromise

In August 2025, threat actors tied to a widespread Salesforce data-theft campaign leveraged compromised OAuth tokens from the Salesloft Drift integration to access email accounts in a small number of Google Workspace domains. Google’s Threat Intelligence Group (GTIG) quickly revoked the impacted OAuth tokens and disabled the integration while notifying affected administrators .

This incident highlights the risks of third-party integrations: even when Google Workspace itself isn’t breached, external tools can become avenues for unauthorized access.

ShinyHunters SSO Vishing Campaigns

ShinyHunters (linked to clusters such as UNC6661, UNC6240, and UNC6395) have stepped up vishing campaigns throughout late 2025 and into 2026. Attackers impersonate IT staff in voice phishing calls to convince employees to divulge SSO credentials and MFA codes for platforms like Google SSO, Okta, and Entra. These credentials are then used to infiltrate cloud services for data theft and extortion .

Okta confirmed that these were social engineering-based attacks, not product vulnerability exploits . The sophistication of real-time phishing pages that mimic legitimate authentication flows makes this attack vector especially worrisome.

Token-Stealing Malware and Device-Bound Session Credentials (DBSC)

Token-theft remains a potent threat. In mid-2025, Google introduced Device Bound Session Credentials (DBSC) to curb session cookie hijacking—where attackers use malware to steal session tokens and bypass 2FA. DBSC ties session tokens to specific devices, which mitigates stolen cookie misuse .

Despite this improvement, attacks persist, particularly in environments still reliant on legacy authentication or lacking stronger protections like passkeys or FIDO2.

Investigative Scope and Risk Assessment

Google continues to investigate and monitor these incidents:

• OAuth token misuse (e.g., Salesloft Drift) remains under scrutiny, with GTIG actively checking integration dependencies and access logs.
• Vishing campaigns are dynamic and evolving, with new phishing infrastructure appearing regularly.
• Token-theft techniques keep advancing, especially against organizations that have not adopted newer defenses.

No evidence suggests a breach in Google’s core infrastructure; rather, attackers exploit human vulnerabilities, integration exposures, and legacy authentication methods.

Preventive Measures and Responses

Google’s Actions

• Revoked compromised OAuth tokens and disabled affected integrations .
• Released DBSC to defend against cookie theft attacks .
• Issued vishing warnings, urging organizations to deploy phishing-resistant MFA and implement Zero Trust Network Architecture .

Recommended Best Practices

Organizations can take proactive steps to reduce exposure:

• Regularly review and audit third-party app permissions and OAuth integrations.
• Move from SMS-based 2FA to phishing-resistant methods like FIDO2 hardware keys or passkeys.
• Conduct ongoing security training that emphasizes detecting vishing attempts and unfamiliar domains.
• Deploy Endpoint Verification and other behavioral tools via Google Workspace’s Security Center and Alert Center .
• Consider Zero Trust strategies that minimize downstream impact if credentials are compromised.

“Implementing phishing-resistant MFA methods and zero-trust principles can dramatically reduce the threat surface exposed by vishing and token-based attacks,” says a cybersecurity operations lead.

Real-World Context and Broader Threat Trends

These Workspace incidents aren’t isolated:

• The Salesforce/Drift incident traces to ShinyHunters’ broader campaign that impacted companies like Google, LVMH, Qantas, Allianz, Pandora, and Chanel via OAuth exploitation .
• The Okta vishing wave marks a move into enterprise-grade SSO targeting—a shift from opportunistic phishing to high-value credential capture .
• DBSC’s deployment follows high-profile malware attacks like the 2023 Linus Tech Tips breach, reminding us how persistent such threats remain .

These incidents demonstrate how non-Google vulnerabilities—human error, integration misconfigurations, and weak authentication—can become critical failure points.

Conclusion

Active investigations into Google Workspace security incidents focus on compromised OAuth tokens, vishing attacks, and session token theft—exposures driven by social engineering and integration weaknesses, not product flaws. Google and its customers are responding through defense upgrades like OAuth revocation, Device Bound Session Credentials, phishing-resistant MFA, and improved visibility via security tooling.

Moving ahead, organizations must stay vigilant: audit integrations, adopt stronger authentication paradigms, train employees against vishing, and embrace Zero Trust. By marrying these measures with visibility tools like Workspace’s Security Center, teams can better detect and disrupt emerging threats.

FAQs

What is being investigated in Google Workspace now?

Currently, investigations focus on OAuth token misuse via Salesloft Drift, vishing-based SSO credential compromise, and session token theft through malware and phishing techniques.

Did these incidents breach Google’s core systems?

No—investigations indicate attackers exploited third-party integrations, phishing, and weak authentication—not vulnerabilities in Google’s own infrastructure.

How can organizations reduce risk from these threats?

Implement phishing-resistant MFA (like FIDO2 keys or passkeys), audit and monitor third-party integrations, enable security features like DBSC, and train employees to spot vishing attacks.

What is Device Bound Session Credentials (DBSC)?

DBSC is a protection that binds session cookies to the specific device that initiated a login, making stolen tokens unusable elsewhere and reducing token theft risk.

Should we stop using third-party integrations entirely?

Not necessarily—but it’s crucial to regularly review permissions, limit scope, ensure trusted vendors, and immediately disable access when suspicious activity is detected.

How does Google help admins respond to threat findings?

Workspace administrators can use tools like the Alert Center and Security Center to investigate alerts, secure accounts, and respond proactively to findings flagged by Google’s monitoring systems.